More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q

Apache Log4j2 version <2.15.0 is a part of the following products in these versions:

CATIA Magic portfolio

  • Magic Collaboration Studio (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
  • Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
  • Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)

No Magic portfolio

  • Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Cameo Collaborator for Teamwork Cloud (release 2021x, 2021x Refresh1, 2021x Refresh2, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • MagicDraw (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
  • Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)

 

Remediation

For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect, MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)

Option 1

  1. Download the latest log4j 2.15.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

  • if found: log4j-core-2.11.2.jar
  • then remove log4j-core-2.11.2.jar
  • copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
  • repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 

Option 2

If you cannot upgrade log4j, you may add 

 -Dlog4j.formatMsgNoLookups=true

as a command line option or add

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.

 

For collaboration tools (Magic Collaboration Studio 19.0 SP2 - 19.0 SP4, Cameo Collaborator for Teamwork Cloud 19.0 SP1 - SP4, Teamwork Cloud 19.0 SP1 - SP4)

Option 1

Please add 

 -Dlog4j.formatMsgNoLookups=true

as a command line option or add

log4j.formatMsgNoLookups=true

to a <modeling tool installation directory>\bin\<modeling tool>.properties file (e.g. magicdraw.properties, csm.properties, cameoea.properties) on the classpath to prevent lookups in the log event message.


Option 2 (more complicated)

  1. Download the latest log4j 2.15.0 patched version.
  2. Replace all log4j 2.x jar files with their respective equivalents from the downloaded version 2.15.0 zip file while keeping the original file name.

Example:

  • if found: log4j-core-2.11.2.jar
  • then remove log4j-core-2.11.2.jar
  • copy log4j-core-2.15.0.jar over to log4j-core-2.11.2.jar
  • repeat for any other log4j 2.x file found.

See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability. 
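
The jar replacement procedure above (Option 1 for modeling tools, Option 2 for collaboration tools), as an added Python example that is not part of the original advisory or the vendor's tooling. It assumes the 2.15.0 zip has already been extracted to a directory and the tool is stopped; the function names and directory arguments are hypothetical. Because the replaced file keeps its old name, the result is verified from the version recorded inside the jar rather than from the file name.

```python
import re
import shutil
import zipfile
from pathlib import Path

PATCHED = "2.15.0"  # patched version named in the advisory
# log4j-core-2.11.2.jar -> ("log4j-core", "2.11.2"); Log4j 1.x file names do not match.
JAR_RE = re.compile(r"^(log4j-[A-Za-z0-9.-]+?)-(2\.\d+(?:\.\d+)*)\.jar$")

def ver_tuple(text):
    return tuple(int(p) for p in text.split("."))

def plan_replacements(install_dir, patched_dir):
    """Pair every Log4j 2.x jar older than PATCHED with its 2.15.0 equivalent.
    The second element is None when the extracted download (patched_dir, an
    assumed location) has no jar for that artifact."""
    plan = []
    for jar in sorted(Path(install_dir).rglob("log4j-*.jar")):
        m = JAR_RE.match(jar.name)
        if m is None or ver_tuple(m.group(2)) >= ver_tuple(PATCHED):
            continue  # not a Log4j 2.x jar, or its name already says 2.15.0 or later
        new = Path(patched_dir) / f"{m.group(1)}-{PATCHED}.jar"
        plan.append((jar, new if new.is_file() else None))
    return plan

def embedded_version(jar):
    """Version from the jar's Maven pom.properties, or None. After the swap the
    file name still says e.g. 2.11.2, so the name cannot be used to verify."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None

def apply_replacements(plan):
    """Overwrite each old jar in place (original file name kept) and return
    (replaced, unresolved) path lists; unresolved jars still need attention."""
    replaced, unresolved = [], []
    for old, new in plan:
        if new is not None:
            shutil.copyfile(new, old)
        if new is not None and embedded_version(old) == PATCHED:
            replaced.append(old)
        else:
            unresolved.append(old)
    return replaced, unresolved
```

Call `plan_replacements(install_dir, extracted_zip_dir)` first to review the pairs, then pass the plan to `apply_replacements`; any path in the unresolved list still contains an older Log4j.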

 

The following products and versions are NOT affected:

CATIA Magic portfolio

  • Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
  • Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)

No Magic portfolio

  • Teamwork Cloud (release 19.0) 
  • Cameo Collaborator for Teamwork Cloud (release 19.0) 
  • MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
  • Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)